[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2-utEZ_GehRcr8p5K2m3KonnGkjJw9lWemql1XB4l_g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-25397","file-uploader-for-woocommerce-unauthenticated-path-traversal","File Uploader for WooCommerce \u003C= 1.0.4 - Unauthenticated Path Traversal","The File Uploader for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.","file-uploader-for-woocommerce",null,"\u003C=1.0.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-03-23 00:00:00","2026-04-02 15:10:08",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa6258be3-2f9e-476d-84d5-5014818ef3ab?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-25397 (File Uploader for WooCommerce)\n\n## 1. 
Vulnerability Summary\nThe **File Uploader for WooCommerce** plugin (versions \u003C= 1.0.4) contains an unauthenticated path traversal vulnerability. The flaw exists because the plugin's AJAX handlers for file management (specifically file deletion or removal) fail to properly sanitize user-supplied file paths. An attacker can use directory traversal sequences (`..\u002F`) to point to files outside the intended upload directory and trigger actions (like deletion) on sensitive system files such as `wp-config.php`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `fufw_remove_uploaded_file` (inferred from common plugin patterns) or similar file-handling actions.\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `file_path` or `file_url` (inferred).\n- **Authentication:** Unauthenticated (`wp_ajax_nopriv_` hook is utilized).\n- **Preconditions:** The plugin must be active. A valid AJAX nonce may be required if the developer implemented CSRF protection but failed to restrict the path.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers an unauthenticated AJAX hook:\n   `add_action( 'wp_ajax_nopriv_fufw_remove_uploaded_file', array( $this, 'fufw_remove_uploaded_file' ) );`\n2. **Input Acquisition:** The handler retrieves a file path from the request:\n   `$file_to_delete = $_POST['file_path'];`\n3. **Vulnerable Logic:** The code may attempt to resolve the path or URL without validating that it stays within the designated uploads folder (e.g., `wp-content\u002Fuploads\u002Ffufw\u002F`).\n4. **Sink:** The unsanitized path is passed to a filesystem function:\n   `unlink( $file_to_delete );` or `wp_delete_file( $file_to_delete );`\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely enqueues a script on WooCommerce product pages where file uploading is enabled. This script typically carries a nonce via `wp_localize_script`.\n\n1. 
**Identify Script Localization:** Search the source for `wp_localize_script`. Look for a variable name like `fufw_object`, `fufw_vars`, or `fufw_data`.\n2. **Identify the Nonce Key:** Within that object, look for a key like `nonce` or `fufw_nonce`.\n3. **Triggering the Script:**\n   - Create a WooCommerce product if none exists.\n   - Navigate to the product page.\n4. **Acquisition Steps:**\n   - **Step 1:** Create a test product: `wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish`\n   - **Step 2:** Use `browser_navigate` to visit the product page.\n   - **Step 3:** Use `browser_eval` to extract the nonce:\n     `browser_eval(\"window.fufw_vars?.nonce || window.fufw_data?.nonce\")` (Verify the exact variable name in the source).\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate path traversal by deleting a \"canary\" file created in the WordPress root or another safe directory.\n\n1. **Create Canary File:** Create a file named `secret.txt` in the WordPress root directory using `wp-cli`.\n2. **Craft Payload:** Use a traversal path to target the canary file. If the plugin expects a path relative to the uploads folder, the payload would look like: `..\u002F..\u002F..\u002F..\u002Fsecret.txt`.\n3. **Send Request:**\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=fufw_remove_uploaded_file&nonce=[NONCE]&file_path=..\u002F..\u002F..\u002F..\u002Fsecret.txt\n   ```\n4. **Analyze Response:** A successful deletion might return a JSON success message `{\"success\":true}` or a simple `1`.\n\n## 6. 
Test Data Setup\n- **Plugin Installation:** Ensure `file-uploader-for-woocommerce` version 1.0.4 is installed.\n- **Canary File:** \n  `echo \"canary\" > \u002Fvar\u002Fwww\u002Fhtml\u002Fsecret.txt`\n- **WooCommerce Product:**\n  `wp post create --post_type=product --post_title=\"Upload Test\" --post_status=publish`\n- **Shortcode Check:** Verify if the plugin requires a specific setting (e.g., \"Enable File Upload\") on the product to render the scripts\u002Fnonces.\n\n## 7. Expected Results\n- The AJAX request returns a status indicating the file was processed.\n- The file `\u002Fvar\u002Fwww\u002Fhtml\u002Fsecret.txt` is successfully deleted from the server.\n- The server logs do not show any \"Permission Denied\" or \"Invalid Path\" errors that would indicate proper sanitization (like `basename()`).\n\n## 8. Verification Steps\n1. **Check File Existence (Before):** `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fsecret.txt` should show the file.\n2. **Execute Exploit:** Send the `http_request`.\n3. **Check File Existence (After):** `ls \u002Fvar\u002Fwww\u002Fhtml\u002Fsecret.txt` should return \"No such file or directory\".\n\n## 9. Alternative Approaches\n- **Path via URL:** If the plugin accepts a URL instead of a path, try: `file_url=http:\u002F\u002Flocalhost\u002Fwp-content\u002Fuploads\u002F..\u002F..\u002F..\u002F..\u002Fsecret.txt`.\n- **Different Actions:** Search for other AJAX actions like `fufw_delete_temp_file` or `fufw_cancel_upload`.\n- **Directory Deletion:** If the sink is `rmdir()` or a recursive delete, attempt to target a directory.\n- **Path Normalization Bypass:** If `..\u002F` is filtered, try `..\\` (on Windows-based setups, though less likely here) or URL-encoded traversal `%2e%2e%2f`.","The File Uploader for WooCommerce plugin is vulnerable to unauthenticated path traversal via its AJAX file management handlers. 
Attackers can provide paths containing directory traversal sequences (e.g., '..\u002F..\u002F') to target and delete sensitive files outside the intended uploads directory, such as wp-config.php.","\u002F\u002F Inferred from research plan code flow\n\u002F\u002F Path: likely in an AJAX handler class within the plugin\n\nadd_action( 'wp_ajax_nopriv_fufw_remove_uploaded_file', array( $this, 'fufw_remove_uploaded_file' ) );\n\npublic function fufw_remove_uploaded_file() {\n    \u002F\u002F Missing validation of the path structure\n    $file_path = $_POST['file_path'];\n    \n    if ( file_exists( $file_path ) ) {\n        unlink( $file_path );\n    }\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002Fclass-fufw-ajax.php\n+++ b\u002Fincludes\u002Fclass-fufw-ajax.php\n@@ -10,6 +10,12 @@\n public function fufw_remove_uploaded_file() {\n-    $file_path = $_POST['file_path'];\n-    if ( file_exists( $file_path ) ) {\n-        unlink( $file_path );\n+    $filename = basename( $_POST['file_path'] );\n+    $upload_dir = wp_upload_dir();\n+    $base_dir = $upload_dir['basedir'] . '\u002Ffufw\u002F';\n+    $full_path = $base_dir . $filename;\n+\n+    if ( file_exists( $full_path ) && strpos( realpath( $full_path ), realpath( $base_dir ) ) === 0 ) {\n+        unlink( $full_path );\n     }\n     wp_send_json_success();\n }","1. Locate a WooCommerce product page where the file uploader is enabled to extract the required AJAX nonce from the localized JavaScript (e.g., from window.fufw_vars.nonce).\n2. Identify the target file for deletion on the server (e.g., wp-config.php).\n3. Craft an unauthenticated AJAX request to \u002Fwp-admin\u002Fadmin-ajax.php with the action set to 'fufw_remove_uploaded_file'.\n4. Set the 'file_path' parameter to a traversal string that points to the target file (e.g., '..\u002F..\u002F..\u002F..\u002Fwp-config.php').\n5. 
Send the POST request to the server; if the plugin fails to sanitize the path using basename() or validate it against a whitelist directory, the targeted file will be deleted via the unlink() function.","gemini-3-flash-preview","2026-04-18 00:02:49","2026-04-18 00:03:04",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffile-uploader-for-woocommerce\u002Ftags"]
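Review bot: the `research_fix_diff` hunk still leaves `fufw_remove_uploaded_file()` with no nonce or capability check, and the handler stays registered on `wp_ajax_nopriv_fufw_remove_uploaded_file`, so after this change any unauthenticated request can still delete any file in `uploads/fufw/` whose name it knows; add `check_ajax_referer()` for the nonce the plan says the script localizes, and tie deletion to the session that uploaded the file. Two smaller points in the same hunk: `wp_send_json_success()` is returned unconditionally, so a failed `file_exists()` or containment check is reported as success (return `wp_send_json_error()` on those branches), and the prefix test `strpos( realpath( $full_path ), realpath( $base_dir ) ) === 0` compares against a path whose trailing slash `realpath()` strips, so it should compare against `realpath( $base_dir ) . DIRECTORY_SEPARATOR`; it is only safe here because `basename()` already pins the file to `$base_dir`. Also wrap the input as `sanitize_file_name( wp_unslash( $_POST['file_path'] ) )` rather than passing the raw superglobal to `basename()`. Note the page marks this diff as inferred from the research plan, not taken from the plugin's actual patch (`patch_diff_files` is empty).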